Go API & Developer Terms of Service

Developer Resources Included for Vendors

You don’t need a developer to sell on UPMOS – the Bloom Dashboard does almost everything. But if you have engineering resources, here’s what’s included. This summary is provided for convenience – the full agreement below is the legally binding text.

• Bloom Dashboard is free. Add/edit products, manage orders, view metrics, run ads – all without writing a line of code, on every plan including the free Guarantee 30 tier.
• Free Basic developer support. Email support, full API docs, community forums, sandbox environment, and ALL 7 official SDKs – $0/month, included with every plan.
• Real-time webhooks. 16+ event types delivered as instant HTTP callbacks – orders, shipments, returns, listing flags – no polling needed.
• Generous quota. API access (a paid annual subscription — see current pricing) includes a generous monthly GET-call allowance, with predictable per-call overage rates.
• Sandbox environment. Test your integration end-to-end at sandbox-api.upmos.com without touching your live store.
• Seven official SDKs. Pre-built SDKs across multiple languages – no need to write your own HTTP client or worry about request signing.
• Premium support tier. A paid Premium tier upgrades you to a 4-business-hour response SLA, named account manager, private Slack channel, monthly integration reviews, and beta API access.
• Build apps for other sellers. Premium developers can list their integrations in the UPMOS app marketplace – turn your tool into a revenue stream.

Quick Navigation

• Overview & Purpose
• When Would You Use the API?
• Definitions
• Access & Authentication
• API Response Standards
• Rate Limits & Quotas
• HTTP Status Codes
• API Endpoints Overview
• License Grant & Restrictions
• Data Usage & Privacy
• Security Requirements
• API Service Level Agreement
• Versioning & Deprecation
• SDK & Client Libraries
• Sandbox & Testing
• Webhook Events & Delivery
• Prohibited Uses
• Liability & Disclaimers
• Suspension & Termination
• Contact & Support
• Developer Support Tiers
• General Provisions

Overview & Purpose

These API & Developer Terms of Use (“API Terms”) govern your access to and use of the Upmos Marketplace Application Programming Interfaces (APIs), software development kits (SDKs), webhooks, developer documentation, and related tools and services (collectively, the “Go APIs” or “Vendor API Access” as listed in the Advertising & Sponsored Products Terms §8.1). By accessing or using any Go API, you agree to be bound by these API Terms, the Marketplace Participation Agreement (MPA), the Non-Disclosure & Confidentiality Agreement, and all related policies.

Upmos Entity: Upmos Inc., 9896 Bissonnet St, Houston TX 77036, USA

Contact: developers@upmos.com | 1-855-MERCHED (1-855-637-2433)

Developer Portal: developers.upmos.com (rolling out)

When Would You Use the Go API?

The Go API — formally listed as Vendor API Access in the Go Partner Program (§8.1) — is an optional, Tier 2 add-on — it is not required to sell on Upmos. Most sellers manage their store entirely through the Bloom Dashboard (the web-based seller portal). However, the API becomes valuable when you need to automate, integrate, or scale beyond what the dashboard provides.

Who Uses the API?

Common Scenarios: When to Opt Into API Access

Do You Need the API?

How to Get Started

1. Enroll in the Go Partner Program — Visit §8.1 of the Advertising & Sponsored Products Terms to subscribe to Vendor API Access (annual subscription — see current pricing). API access is not available outside the Go Partner Program.
2. Accept these Terms — API access is governed by this Go API & Developer Terms of Use. Continued use constitutes acceptance.
3. Get your API keys from the Bloom Dashboard → Settings → API & Integrations
4. Review your plan: see current pricing for the annual subscription fee, the included monthly GET-call allowance, and overage rates
5. Start in sandbox: Test your integration at sandbox-api.upmos.com with full API access and test data
6. Go live: Switch to api.upmos.com when your integration passes verification
7. Need help? Basic support (free) or Premium support — see Developer Support Tiers

API vs. Dashboard — Quick Comparison

Definitions

• API (Application Programming Interface): A set of protocols, routines, and tools that enable software applications to communicate with the Upmos Marketplace platform
• API Key: A unique identifier and secret token pair issued to authenticated developers/sellers to access the Go APIs
• OAuth 2.0: The authorization framework used by Go APIs for delegated access and token-based authentication
• Webhook: An HTTP callback that delivers real-time notifications to a developer-specified endpoint when specific events occur (e.g., order placed, shipment updated)
• SDK (Software Development Kit): A collection of libraries, code samples, documentation, and tools provided by Upmos to facilitate API integration
• Sandbox Environment: A testing environment that mirrors the production API without affecting real data, orders, or transactions
• Rate Limit: The maximum number of API requests permitted per unit of time (second, minute, hour, or day)
• Throttling: The automatic reduction of API request processing speed when rate limits are approached or exceeded
• Idempotency Key: A unique identifier attached to API requests to ensure the same operation is not executed multiple times due to retries
• Third-Party Developer: An individual or entity that builds applications or integrations using the Go APIs on behalf of sellers, but who is not themselves an Upmos seller
• CORS (Cross-Origin Resource Sharing): A security mechanism that controls which web domains may make requests to the Go API from browser-based applications
• Pagination: The method of dividing large sets of API results into smaller pages, using cursor-based or offset-based navigation to retrieve data incrementally
• OpenAPI Specification: The machine-readable API contract (formerly Swagger) that documents all Go API endpoints, parameters, request/response schemas, and authentication requirements
• Endpoint: A specific URL path (e.g., /api/v1/products) that provides access to a particular resource or action within the Go API
• Burst Limit: The maximum number of API requests allowed in a very short window (typically 1-2 seconds) before throttling is applied, separate from sustained rate limits

Access & Authentication

Eligibility

• API access requires an active Upmos seller account in good standing
• Third-Party Developers must register in the Upmos Developer Program and complete the application review process (5-10 business days)
• All API users must accept these API Terms and the NDA before API keys are issued

Authentication Methods

API Key Security

• API keys and secrets must be stored securely using environment variables, secrets managers, or encrypted vaults. Hardcoding credentials in source code is prohibited
• API keys must never be exposed in client-side code, browser JavaScript, mobile app bundles, or public repositories (GitHub, GitLab, etc.)
• Sellers must rotate API keys at least annually and immediately upon suspected compromise
• Upmos continuously scans public repositories for exposed API keys and will automatically revoke any compromised credentials with immediate notification
• Each integration should use a separate API key. Sharing keys across multiple applications or sellers is prohibited

API Response Standards

Response Format

• All API responses are returned in JSON format (Content-Type: application/json; charset=utf-8)
• All text data is encoded in UTF-8. Non-ASCII characters are returned as native Unicode, not escaped sequences
• All date and time values use ISO 8601 format (YYYY-MM-DDTHH:mm:ssZ) in UTC timezone unless otherwise specified
• Monetary values are returned as integers in the smallest currency unit (e.g., cents for USD). A field currency accompanies all monetary fields
• Boolean fields use true/false (not 0/1 or “yes”/“no”)
• Null fields are included in responses with explicit null values rather than being omitted

Pagination

• List endpoints use cursor-based pagination by default for consistent results across large datasets
• Each paginated response includes: data (array of results), has_more (boolean), next_cursor (string, if more results exist)
• Default page size: 25 items. Maximum page size: 100 items (set via ?limit= parameter)
• Legacy offset-based pagination (?page=&per_page=) is available but deprecated. Migrate to cursor-based pagination by December 2027

CORS Policy

• The Go API supports CORS for whitelisted origins. Browser-based applications must register their domains in the Developer Portal
• Preflight (OPTIONS) requests are automatically handled. Allowed methods: GET, POST, PUT, PATCH, DELETE
• Credentials (Access-Control-Allow-Credentials) are supported for OAuth-authenticated browser sessions
• Wildcard origins (*) are never permitted for authenticated endpoints

Request Standards

• Request bodies must use JSON format with Content-Type: application/json header
• File uploads use multipart/form-data encoding with a maximum file size of 50 MB
• All mutating requests (POST, PUT, PATCH, DELETE) should include an Idempotency-Key header to prevent duplicate operations
• Query parameters use snake_case naming (e.g., ?created_after=2026-01-01)
• Array parameters in query strings use bracket notation: ?status[]=active&status[]=pending

OpenAPI Specification

• The complete API specification is available in OpenAPI 3.1 format at developers.upmos.com/openapi.json (published with the Developer Portal, rolling out)
• Interactive API documentation with “Try It” functionality is available at the Developer Portal
• Code generation tools (e.g., OpenAPI Generator) can use the spec to generate client libraries in any language

Rate Limits & Quotas

Standard Rate Limits

Infrastructure Note: Upmos is hosted on Microsoft Azure (Azure App Services & Azure API Management), which can handle thousands of requests per second. The limits below are business-level controls designed to ensure fair, consistent performance across all sellers on the platform — not infrastructure constraints.

Plan names are shown for reference only. For current subscription tiers, limits, and pricing, see Vendor Plan Details & Pricing.

Rate Limiting Mechanism

The Go API uses a token bucket algorithm to manage request rates and bursts — the same industry-standard mechanism used by Amazon SP-API, Azure API Management, and other major cloud platforms.

This approach ensures fair resource allocation across all sellers while allowing legitimate traffic bursts during peak operations such as inventory syncs, bulk repricing, or order processing.

Rate Limit Headers

Every API response includes the following rate limit headers:

• X-RateLimit-Limit: Maximum requests allowed in the current window
• X-RateLimit-Remaining: Number of requests remaining in the current window
• X-RateLimit-Reset: Unix timestamp when the rate limit window resets
• Retry-After: Seconds to wait before retrying (included only when rate limited)

Rate Limit Exceeded (HTTP 429)

• When rate limits are exceeded, the API returns HTTP 429 Too Many Requests with a Retry-After header
• Implement exponential backoff with jitter for retry logic. Linear retry strategies are discouraged
• Persistent rate limit violations (>100 429 responses per hour) may result in temporary API suspension

Quota Increases

• Sellers requiring higher rate limits may request a quota increase through the Developer Portal or by contacting developers@upmos.com
• Quota increase requests are evaluated based on use case, historical usage patterns, and account standing
• Approved increases take effect within 3 business days

HTTP Status Codes Reference

The Go API uses standard HTTP status codes to indicate the result of each request. All error responses include a JSON body with error_code, message, and request_id fields for debugging.

Success Codes

Client Error Codes

Server Error Codes

Error Response Format

All 4xx and 5xx responses include a standardized error body:

• error_code: Machine-readable error identifier (e.g., INVALID_PARAMETER, RATE_LIMITED)
• message: Human-readable error description
• request_id: Unique request identifier for support debugging
• errors (optional): Array of field-level validation errors with field, code, and message
• documentation_url (optional): Link to relevant API documentation

API Endpoints Overview

The Go API is organized around RESTful resources. All endpoints are accessed via https://api.upmos.com/v1/ (production) or https://sandbox-api.upmos.com/v1/ (sandbox).

Core Resource Categories

Bulk Operations

• Endpoints supporting bulk operations accept up to 1,000 items per request
• Bulk operations are processed asynchronously and return a job_id for status tracking via /v1/jobs/{job_id}
• Bulk product imports support CSV, JSON, and XML formats
• Bulk results are available for download for 7 days after completion

License Grant & Restrictions

License Grant

Subject to your compliance with these API Terms, Upmos grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Go APIs solely for the purpose of integrating with the Upmos Marketplace in connection with your seller account or authorized Third-Party Developer application.

Restrictions

• No Resale: You may not sell, lease, sublicense, or otherwise commercialize access to the Go APIs themselves
• No Competitive Use: You may not use the Go APIs to build, operate, or market a competing marketplace platform
• No Circumvention: You may not use the APIs to circumvent platform fees, referral fees, rate limits, or security controls
• No Reverse Engineering: You may not reverse engineer, decompile, or disassemble the Go APIs or attempt to derive source code
• No Misrepresentation: You may not imply endorsement, partnership, or affiliation with Upmos beyond your actual relationship
• Attribution: Applications using the Go APIs must include the attribution: “Powered by Upmos Marketplace API” in a reasonably visible location

Data Usage & Privacy

Data You May Access

• Your Seller Data: Product listings, orders, inventory, pricing, performance metrics, and account information associated with your seller account
• Buyer Data (Limited): Order-specific buyer information (name, shipping address) solely for fulfillment purposes. No buyer data may be stored beyond 90 days after order completion unless required by law
• Marketplace Data: Category information, fee schedules, and other publicly available marketplace reference data

Data Usage Restrictions

• Data obtained through the APIs may only be used in connection with the Upmos Marketplace and the authorized Purpose
• You may not sell, share, or transfer data obtained through the APIs to any third party (except shipping carriers for fulfillment)
• You may not aggregate, anonymize, or de-identify buyer data for use outside the Upmos ecosystem
• You must comply with GDPR, CCPA, and all applicable privacy laws in storing and processing data obtained through the APIs
• You must implement a data retention policy that deletes buyer personal data within 90 days of order completion, unless a longer retention period is required by law
• If a buyer exercises their right to deletion under GDPR or CCPA, Upmos will notify you via webhook, and you must delete the relevant data within 30 days

PCI-DSS Compliance

The Go APIs do not expose payment card data. All payment processing is handled by Upmos’s PCI-DSS Level 1 certified payment processor. Developers must not attempt to capture, store, or intercept payment card information through any integration.

Security Requirements

Mandatory Security Practices

• HTTPS Only: All API communication must use TLS 1.2 or higher. HTTP connections are rejected
• Webhook Verification: All webhook payloads include an HMAC-SHA256 signature in the X-Upmos-Signature header. You must verify this signature before processing any webhook event
• Input Validation: All data sent to the API must be properly validated and sanitized. SQL injection, XSS, and other injection attacks are monitored and may result in immediate API access revocation
• Secure Storage: Tokens, keys, and secrets must be stored in encrypted form (AES-256 or equivalent) at rest
• Audit Logging: Maintain logs of all API interactions for a minimum of 12 months, including timestamps, endpoints called, and response codes
• Dependency Management: Keep all SDKs, libraries, and dependencies up to date. Known vulnerabilities in dependencies must be patched within 30 days of disclosure

Compliance & Certifications

• SOC 2 Type II examination reports, once available, will be provided under NDA to Booming, Reserve, and Loyalty plan sellers upon request
• A Data Processing Agreement (DPA) is available for GDPR compliance upon request — email privacy@upmos.com
• Upmos undergoes annual third-party penetration testing. Summary findings are available to Booming, Reserve, and Loyalty plan sellers upon request via security@upmos.com (a Developer Portal security center is rolling out)

Vulnerability Reporting

• Upmos operates a Responsible Disclosure Program. If you discover a vulnerability in the Go APIs, report it to security@upmos.com
• Do not exploit or publicly disclose vulnerabilities before Upmos has had reasonable opportunity to remediate (minimum 90 days)
• Valid vulnerability reports may be eligible for recognition in Upmos’s Security Hall of Fame

API Service Level Agreement

Uptime Commitment

Service Credits

• If API availability falls below 99.9% in a calendar month, eligible sellers receive API usage credits:
• 99.0% – 99.9%: 10% credit on that month’s API-related charges
• 95.0% – 99.0%: 25% credit
• Below 95.0%: 50% credit
• Credit requests must be submitted within 30 days of the affected month via the Developer Portal (rolling out) or by emailing support@upmos.com
• Service credits are your sole and exclusive remedy for any failure to meet the uptime commitment in this Service Level Agreement.

Maintenance Windows

• Planned Maintenance: Communicated 72 hours in advance via the Developer Portal, API status page, and email. Typically scheduled for Tuesdays 2:00–6:00 AM CT
• Emergency Maintenance: Communicated as soon as practicable. Upmos uses rolling deployments to minimize impact
• Status Page: Real-time API status available at the API status page (rolling out)

Versioning & Deprecation

API Versioning

• The Go API uses URL-based versioning (e.g., /api/v1/, /api/v2/)
• Each major version is supported for a minimum of 24 months after the release of the next major version
• Minor and patch updates are backward-compatible and do not require version changes

Deprecation Policy

• 12-Month Notice: Upmos provides at least 12 months’ notice before deprecating any major API version
• 6-Month Notice: For individual endpoint deprecation within a supported version
• Deprecation Headers: Deprecated endpoints include Sunset and Deprecation HTTP headers indicating the sunset date
• Migration Guides: Upmos provides detailed migration documentation and code examples for all deprecations
• Migration Support: Booming Plan sellers receive dedicated migration assistance from the Developer Relations team

Breaking Changes

Upmos considers the following to be breaking changes (requiring a new major version):

• Removal or renaming of existing API endpoints, fields, or parameters
• Changes to response structure or data types of existing fields
• Changes to authentication or authorization mechanisms
• Changes to error response formats or status codes for existing error conditions

SDK & Client Libraries

Official SDKs

Upmos provides officially maintained SDKs for the most popular programming languages and platforms. All SDKs are open-source and available on GitHub.

SDK Features

• Automatic Authentication: Built-in OAuth 2.0 token management with automatic refresh
• Rate Limit Handling: Automatic retry with exponential backoff when rate limits are hit
• Pagination Helpers: Iterators that transparently handle cursor-based pagination
• Type Safety: Full type definitions for all API models (TypeScript types, Python dataclasses, Java POJOs)
• Webhook Verification: Built-in HMAC-SHA256 signature verification helpers
• Error Handling: Typed exceptions for all error codes with retry recommendations

Community & Third-Party Libraries

• Community-contributed SDKs will be listed in the Developer Portal Community Libraries (rolling out)
• Upmos does not guarantee the quality, security, or maintenance of community libraries
• Developers may generate custom clients from the OpenAPI 3.1 specification using OpenAPI Generator or similar tools

Sandbox & Testing

Sandbox Environment

• All API users have access to the Upmos Sandbox at sandbox-api.upmos.com
• The sandbox mirrors production API behavior but uses test data only. No real orders, payments, or customer data are involved
• Sandbox API keys are separate from production keys and are prefixed with upmos_test_
• Rate limits in sandbox are 50% lower than production to prevent resource abuse

Test Data

• Upmos provides pre-populated test catalogs, test orders, and test buyer accounts for sandbox testing
• Test payment methods (including test credit card numbers) are available for end-to-end order flow testing
• Webhook testing tools allow simulating events without creating real transactions

Production Testing

• Before going live, all integrations must pass a certification review by the Upmos Developer Relations team
• Certification includes: authentication flow, error handling, rate limit compliance, webhook verification, and data handling review
• Certification results are communicated within 10 business days of submission

Webhook Events & Delivery

Available Webhook Events

Webhooks deliver real-time notifications to your registered endpoint URL when events occur on the Upmos platform. Subscribe to events via the Developer Portal or the /v1/webhooks API.

Webhook Delivery & Retry Policy

• Webhooks are delivered via HTTP POST to your registered endpoint URL with a JSON payload
• Your endpoint must return an HTTP 2xx response within 10 seconds to acknowledge receipt
• Failed deliveries (non-2xx response or timeout) are retried with exponential backoff:

Webhook Security

• Every webhook includes an X-Upmos-Signature header containing an HMAC-SHA256 signature computed with your webhook secret
• Every webhook includes an X-Upmos-Timestamp header. Reject events older than 5 minutes to prevent replay attacks
• Webhook endpoints must use HTTPS (TLS 1.2+). HTTP endpoints are not supported
• Each webhook event includes a unique event_id for deduplication. Your system should track processed event IDs to handle potential duplicate deliveries

Dead Letter Queue

• After all 5 retry attempts fail, the event is moved to a Dead Letter Queue (DLQ) accessible via the Developer Portal
• DLQ events are retained for 30 days and can be manually replayed
• If your endpoint fails to respond for 7 consecutive days, the webhook subscription is automatically paused with an email notification

Prohibited Uses

• Scraping & Crawling: Using the APIs to systematically scrape, crawl, or index Upmos data for purposes outside the authorized scope
• Load Testing Production: Running stress tests, load tests, or benchmarks against the production API without prior written approval
• Data Harvesting: Collecting buyer data, seller data, or marketplace data for sale to third parties or for building competing databases
• Automated Account Creation: Using the APIs to create, modify, or manage seller accounts in violation of the MPA
• Price Manipulation: Using the APIs to implement automated pricing strategies that violate fair pricing policies (e.g., algorithmic price gouging during emergencies)
• Circumventing Controls: Using multiple API keys, IP addresses, or accounts to circumvent rate limits, quotas, or access restrictions
• Malware Distribution: Distributing applications that contain malware, spyware, or other malicious code through any integration using the Go APIs
• Unauthorized Access: Attempting to access API endpoints, data, or functionality beyond your authorized scope

Liability & Disclaimers

API Provided “As Is”

The Go APIs are provided “AS IS” and “AS AVAILABLE” without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement. Upmos does not warrant that the APIs will be uninterrupted, error-free, or free of harmful components.

Limitation of Liability

• Upmos’s total aggregate liability for all claims related to the APIs shall not exceed the greater of (a) the total fees paid by you to Upmos in the twelve (12) months preceding the event giving rise to the claim, or (b) one hundred U.S. dollars (USD $100). This cap is identical to the Limitation of Liability provision in the General Provisions section below and does not apply to any liability that cannot be limited under applicable law.
• Upmos is not liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, business, or goodwill
• Upmos is not liable for any damages resulting from the actions or omissions of third-party services, hosting providers, or network carriers

Indemnification

You shall indemnify, defend, and hold harmless Upmos from any claims, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising from your use of the APIs, your applications, or your violation of these API Terms or applicable law.

Suspension & Termination

Suspension Triggers

• Security Threat: Immediate suspension if an integration poses a security risk to the Upmos platform, sellers, or buyers
• Rate Limit Abuse: Persistent violation of rate limits (>500 HTTP 429 responses in 24 hours)
• Policy Violation: Violation of prohibited uses, data usage restrictions, or security requirements
• Account Suspension: If the underlying seller account is suspended, API access is simultaneously suspended
• Inactivity: API keys unused for 12+ months may be automatically deactivated (with 30 days’ email notice)

Termination

• Upmos may terminate API access for material breach of these API Terms with 30 days’ notice (except for security threats, which may result in immediate termination)
• You may terminate API access at any time by revoking your API keys through the Developer Portal
• Upon termination, all stored API data must be deleted in accordance with the NDA and Data Usage requirements

Effect of Termination

• All API keys and access tokens are immediately invalidated
• Webhook deliveries cease immediately
• Cached data must be deleted within 30 days
• Provisions regarding data deletion, confidentiality, indemnification, and liability survive termination

Contact & Support

Contact Information

• Developer Relations: developers@upmos.com
• Security Reports: security@upmos.com
• Vendor Support: vendors@upmos.com
• Phone: 1-855-MERCHED (1-855-637-2433)
• Developer Portal: developers.upmos.com (rolling out)
• API Status: the API status page (rolling out)

Developer Support Tiers

Upmos offers two Developer Support tiers to meet the needs of sellers and third-party developers at every stage of their integration journey.

Support Tier Comparison

Basic Support (Free) — What’s Included

• Email support at developers@upmos.com with a 48 business-hour response SLA
• Full access to the Upmos Developer Knowledge Base, API reference documentation, and interactive OpenAPI explorer
• Community forums for peer-to-peer discussions, code sharing, and best practices
• Sandbox environment at sandbox-api.upmos.com for development and testing
• Official SDKs for Python, Node.js, PHP, Java, C#, Ruby, and Go with auto-auth and retry logic (rolling out)
• API status page (rolling out) with real-time uptime monitoring and incident history
• Available to all seller plans (G30, Booming, Booming Annual, Reserve, Loyalty) at no additional cost

Premium Support — Everything in Basic Plus

• 4-hour response SLA during business hours (Mon–Fri, 8 AM–8 PM CT) — 12x faster than Basic
• Direct phone support with the developer relations team at 1-855-MERCHED (1-855-637-2433), option 2
• Priority ticket queue — your issues are escalated ahead of standard support tickets
• Dedicated account manager — a named point of contact who knows your integration inside and out
• Hands-on migration assistance for moving from Amazon SP-API, Shopify, WooCommerce, or other platforms to Go APIs
• Private Slack channel with direct access to the Upmos developer engineering team
• Monthly integration reviews — scheduled calls to review API usage, performance, error rates, and optimization opportunities
• Early access to beta APIs — test new endpoints and features before they go live
• Fast-tracked rate limit increases processed within 1 business day (vs. 3 days for Basic)
• Architecture consultation — guidance on best practices for high-volume, multi-seller, and multi-channel integrations

To upgrade: Contact developers@upmos.com or call 1-855-MERCHED (1-855-637-2433) to activate Premium Developer Support. Cancel anytime with 30 days’ notice.

Related Documents

• Marketplace Participation Agreement (MPA)
• Service Level Agreement (SLA)
• Non-Disclosure & Confidentiality Agreement (NDA)
• Advertising & Sponsored Products Terms
• Data Processing Agreement (DPA) — available upon request via privacy@upmos.com
• Privacy Policy
• Acceptable Use Policy (AUP)

General Provisions

Relationship to Master Agreement

This API & Developer Terms of Use (“API Terms”) is supplemental to and incorporated by reference into the Marketplace Participation Agreement (“MPA”) between Seller and Upmos Inc.. In the event of any conflict between this API Terms and the MPA, the terms of the MPA shall control unless this API Terms explicitly states otherwise. Capitalized terms not defined herein shall have the meanings assigned to them in the MPA.

Governing Law & Jurisdiction

This agreement shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflicts of law principles. Subject to the Dispute Resolution & Binding Arbitration section below, the exclusive venue for any action permitted to be brought in court — including an action to compel arbitration, to confirm or enforce an arbitration award, or to seek the injunctive relief described in that section — shall be the state or federal courts located in Harris County, Texas, and each party irrevocably consents to such jurisdiction and venue. This provision does not override the parties’ agreement to arbitrate; in the event of any conflict, the Dispute Resolution & Binding Arbitration section controls.

Force Majeure

Neither party shall be liable for any failure or delay in performing its obligations under this agreement (other than payment obligations) where such failure or delay results from circumstances beyond the reasonable control of the affected party, including but not limited to: acts of God, natural disasters, pandemic, epidemic, war, terrorism, riots, embargoes, government orders or actions, power failures, internet or telecommunications failures, cyberattacks, or labor disputes. The affected party shall:

• Provide prompt written notice to the other party describing the force majeure event;
• Use commercially reasonable efforts to mitigate the impact and resume performance;
• Resume performance promptly upon cessation of the force majeure event.

If a force majeure event continues for more than ninety (90) consecutive days, either party may terminate this agreement upon thirty (30) days’ written notice without liability.

Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, UPMOS’S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID BY SELLER TO UPMOS IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED U.S. DOLLARS (USD $100). IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, DATA, BUSINESS OPPORTUNITIES, OR GOODWILL, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER EITHER PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Severability

If any provision of this agreement is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties’ original intent.

Entire Agreement

This API & Developer Terms of Use, together with the Marketplace Participation Agreement (MPA), the Service Level Agreement (SLA), and all other agreements and policies incorporated by reference therein, constitutes the entire agreement between the parties regarding the subject matter hereof. This agreement supersedes all prior or contemporaneous oral or written communications, proposals, and representations regarding the same subject matter.

Waiver

No failure or delay by either party in exercising any right, power, or remedy under this agreement shall operate as a waiver thereof. No single or partial exercise of any right shall preclude further exercise of that right or any other right. A waiver of any breach shall not constitute a waiver of any subsequent breach.

Assignment

Neither party may assign or transfer this agreement or any rights or obligations hereunder without the prior written consent of the other party, except that either party may assign this agreement in connection with a merger, acquisition, corporate reorganization, or sale of substantially all of its assets, provided the assignee assumes all obligations under this agreement.

Amendment & Modification

Upmos may update this agreement from time to time. Material changes will be communicated with at least thirty (30) days’ notice through the Bloom Dashboard or email. Continued participation on the Upmos Marketplace after the effective date of any amendment constitutes acceptance of the updated terms.

Dispute Resolution & Binding Arbitration

Any dispute, claim, or controversy arising out of or relating to this API & Developer Terms of Use, its breach, termination, enforcement, interpretation, or validity (collectively, “Disputes”) shall be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The arbitration shall be conducted in Harris County, Texas. The arbitrator shall have the authority to award any remedy available at law or equity. Judgment on the arbitration award may be entered in any court of competent jurisdiction.

Pre-Arbitration Notice: Before initiating arbitration, the disputing party must provide the other party with written notice describing the nature of the dispute and the relief sought. The parties shall attempt good-faith resolution for thirty (30) calendar days following such notice before commencing arbitration.

Class Action Waiver: YOU AND UPMOS EACH IRREVOCABLY WAIVE THE RIGHT TO PARTICIPATE IN ANY CLASS, COLLECTIVE, OR REPRESENTATIVE ACTION, OR TO CONSOLIDATE ARBITRATION PROCEEDINGS WITHOUT THE CONSENT OF ALL PARTIES. ALL CLAIMS MUST BE BROUGHT ON AN INDIVIDUAL BASIS.

Jury Trial Waiver: TO THE FULLEST EXTENT PERMITTED BY LAW, EACH PARTY IRREVOCABLY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF OR RELATED TO THIS AGREEMENT.

Injunctive Relief Carve-out: Notwithstanding the foregoing, either party may seek emergency injunctive or other equitable relief from a court of competent jurisdiction to prevent irreparable harm pending resolution of a dispute through arbitration, including but not limited to relief related to intellectual property infringement, unauthorized API access, credential misuse, or breach of confidentiality obligations. Seeking such relief shall not waive either party’s right to compel arbitration of the underlying dispute.

Arbitration Confidentiality: All arbitration proceedings, including filings, submissions, and the award, shall be kept strictly confidential and may not be disclosed to any third party except as required by law or to enforce the award.

Arbitration Fees: The AAA’s filing fees shall be governed by the AAA Commercial Arbitration Rules. UPMOS will advance filing and administrative fees for Disputes where the amount in controversy is less than USD $10,000 (excluding attorneys’ fees). If the arbitrator determines that any claim or defense is frivolous, the opposing party may recover reasonable attorneys’ fees and costs.

No Oral Modifications

This Agreement may not be amended, modified, supplemented, or waived except by a written instrument signed by duly authorized representatives of both parties. No oral statement, course of conduct, course of dealing, or trade usage shall operate as a modification of this Agreement. An employee’s or agent’s verbal representations or commitments that are inconsistent with this Agreement are not binding on UPMOS.

Contra Proferentem Waiver

This Agreement shall be construed without regard to any presumption or rule requiring construction or interpretation against the party causing this Agreement to be drafted. Both parties acknowledge that each has had the opportunity to review this Agreement and negotiate its terms.

Headings Not Controlling

Section headings and titles used in this Agreement are for convenience and reference only and shall not affect the construction or interpretation of any provision of this Agreement.

Governing Language

This Agreement is executed in the English language, which shall be the governing and controlling language for all purposes. Any translation of this Agreement into another language is provided for convenience only and shall have no legal effect.

Counterparts & Electronic Execution

This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic acceptance (including clicking “I Agree,” API key activation, or continued API use following publication of these Terms) shall constitute a valid and binding signature under applicable law, including the Electronic Signatures in Global and National Commerce Act (E-SIGN) and the Uniform Electronic Transactions Act (UETA).

Shortened Limitation Period

To the fullest extent permitted by applicable law, any claim or cause of action arising out of or relating to this Agreement or the API services must be commenced within one (1) year after the claim or cause of action accrues, regardless of any statute of limitations to the contrary. Any claim not brought within this period is permanently barred. This shortened limitation period does not apply to UPMOS’s claims for non-payment of fees.

No Third-Party Beneficiaries

This Agreement is entered into solely for the benefit of the parties hereto. Nothing in this Agreement, express or implied, is intended to or shall confer upon any other person or entity any legal or equitable right, benefit, or remedy of any nature whatsoever under or by reason of this Agreement.

Relationship of Parties

The parties are independent contractors. Nothing in this Agreement creates or shall be construed to create any partnership, joint venture, agency, franchise, employment, or fiduciary relationship between the parties. Neither party has the authority to bind the other party or to incur any obligation on the other party’s behalf.

Liquidated Damages

The parties acknowledge that UPMOS’s actual damages resulting from unauthorized API use, credential sharing, rate limit circumvention, scraping, or violations of the data usage restrictions in this Agreement would be difficult or impossible to calculate precisely. Accordingly, in the event of such violations, Developer agrees to pay UPMOS liquidated damages of USD $500 per day per violation (and not as a penalty), which the parties agree is a reasonable pre-estimate of the harm caused. This remedy is in addition to, and not in lieu of, any other remedies available to UPMOS at law or equity.

Insurance Requirements

Developers whose applications process payment data, handle buyer personal information, or generate more than 500,000 API calls per month shall maintain, at their own expense, throughout the term of this Agreement:

• Commercial General Liability: Minimum $1,000,000 per occurrence / $2,000,000 aggregate;
• Errors & Omissions / Technology Professional Liability: Minimum $1,000,000 per claim;
• Cyber Liability & Data Breach: Minimum $500,000 per incident.

UPMOS shall be named as an additional insured on CGL and E&O policies. Certificates of insurance shall be provided to UPMOS upon request within five (5) business days.

IP Indemnification Carve-out

If Developer’s application, data, or content submitted via the API is alleged to infringe any third-party intellectual property rights, Developer shall, at Developer’s option and expense: (a) obtain a license for UPMOS and any affected parties to continue using the allegedly infringing item; (b) modify the item to make it non-infringing while preserving its material functionality; or (c) remove the infringing item from the Platform. This obligation is in addition to Developer’s indemnification obligations under the Indemnification section of this Agreement.

UPMOS Platform IP Ownership

UPMOS and its licensors retain all right, title, and interest in and to the UPMOS Platform, APIs, SDKs, webhooks, documentation, data schemas, response formats, and all intellectual property rights therein. No provision of this Agreement transfers any ownership interest in UPMOS’s intellectual property to Developer. The limited license granted to Developer under this Agreement is non-exclusive, non-sublicensable, non-transferable, and revocable. Developer shall not represent or imply that it owns any UPMOS intellectual property.

Feedback & Suggestions

If Developer provides UPMOS with any feedback, suggestions, ideas, enhancement requests, or recommendations regarding the API, SDKs, documentation, or Platform (collectively, “Feedback”), Developer hereby irrevocably assigns to UPMOS all right, title, and interest in such Feedback, including all intellectual property rights. UPMOS may use, incorporate, modify, and commercialize Feedback without restriction, attribution, or compensation to Developer.

DMCA Compliance & Copyright

Developers must not use the API to access, reproduce, distribute, or create derivative works of any UPMOS content or third-party content in violation of applicable copyright law, including the Digital Millennium Copyright Act (17 U.S.C. § 512). UPMOS’s designated Copyright Agent for DMCA notices is the Legal Department, UPMOS, LLC, reachable at legal@upmos.com. Repeat infringers will have their API access terminated.

Security Breach & Incident Notification

Developer must notify UPMOS in writing within forty-eight (48) hours of discovering or reasonably suspecting any of the following: (a) unauthorized access to or disclosure of UPMOS data, buyer data, or credentials obtained via the API; (b) a security vulnerability in Developer’s application that could expose UPMOS data or systems; (c) any loss, theft, or compromise of API keys or access tokens; or (d) any breach of Developer’s systems that may have affected data accessed via the Go API. Notification must be sent to security@upmos.com and must describe the nature of the incident, data potentially affected, steps taken to contain it, and contact information for Developer’s security team. Developer shall cooperate fully with UPMOS’s investigation and shall not make any public disclosure regarding the incident without UPMOS’s prior written consent, except as required by applicable law.

Export Controls & OFAC Compliance

Developer represents and warrants that it is not: (a) located in, organized under the laws of, or ordinarily resident in a country or territory subject to comprehensive U.S. embargo or sanctions (including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions); (b) identified on the U.S. Department of the Treasury’s Specially Designated Nationals and Blocked Persons List (SDN List), the Denied Parties List, or any other applicable sanctions or restricted-party list; or (c) otherwise prohibited from receiving U.S.-origin software, technology, or services under applicable U.S. export control laws, including the Export Administration Regulations (EAR) and Office of Foreign Assets Control (OFAC) regulations. Developer shall not use the API in any manner that would cause UPMOS to violate applicable export control or sanctions laws. UPMOS reserves the right to immediately terminate API access if it determines that Developer is in violation of this provision.

Anti-Bribery & Anti-Corruption

Developer represents, warrants, and covenants that in connection with this Agreement and its use of the Go API, Developer will not, directly or indirectly, offer, pay, promise, or authorize the payment of anything of value to any government official, political party, party official, candidate for political office, or any other person for the purpose of influencing any official act or decision in violation of the U.S. Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, or any other applicable anti-bribery or anti-corruption laws. Developer shall maintain adequate internal controls to prevent and detect any violation of applicable anti-bribery laws and shall promptly report to UPMOS any actual or suspected violation of this provision.

Fee Change Notice

UPMOS may modify API subscription fees, overage rates, or any other fees applicable under this Agreement upon thirty (30) days’ advance notice delivered via the Bloom Dashboard, email to Developer’s registered address, or the Platform’s notification system. Continued API use after the effective date of any fee change constitutes acceptance of the revised pricing. Fee changes apply at the next annual renewal date; current annual subscribers will not be subject to mid-term fee increases.

Late Payment & Interest

All undisputed amounts payable under this Agreement are due within thirty (30) days of the invoice date. Any amounts not paid when due shall accrue interest at the lesser of: (a) 1.5% per month (18% per annum); or (b) the maximum rate permitted by applicable law, from the due date until paid in full. UPMOS reserves the right to suspend API access upon thirty (30) days’ written notice if any undisputed invoice remains outstanding beyond sixty (60) days of its due date.

Right to Cure

For a first-time material breach of this Agreement that does not involve fraud, unauthorized data access, credential sharing, active security exploitation, or violation of the Export Controls & OFAC Compliance or Anti-Bribery & Anti-Corruption provisions, UPMOS will, where practicable, provide Developer with written notice of the breach and a period of ten (10) business days from the date of such notice to cure the breach to UPMOS’s reasonable satisfaction before suspending or terminating API access. If the breach is cured within the cure period, UPMOS will not exercise its suspension or termination rights arising from that specific breach. The right to cure does not apply to repeated breaches of the same or similar nature (two or more occurrences within any twelve-month period).

Audit Rights

UPMOS reserves the right, upon reasonable prior written notice of not less than five (5) business days (or immediately and without notice in the event of suspected security breach, unauthorized access, or material breach), to audit Developer’s compliance with this Agreement, including but not limited to: (a) review of API call logs, authentication records, and data access patterns; (b) verification that Developer’s application complies with the security requirements and data usage restrictions in this Agreement; (c) confirmation that required insurance certificates are current; and (d) verification of compliance with export control and anti-bribery obligations. Developer shall retain all records and documentation necessary to demonstrate compliance for a period of three (3) years following the expiration or termination of this Agreement and shall make such records available to UPMOS upon request. UPMOS shall bear its own audit costs unless the audit reveals a material breach, in which case Developer shall reimburse UPMOS for reasonable audit costs.

Non-Solicitation

During the term of this Agreement and for a period of one (1) year following its expiration or termination, Developer shall not, directly or indirectly, solicit for employment or engagement any employee, contractor, or consultant of UPMOS who Developer became aware of in connection with this Agreement, without UPMOS’s prior written consent. This restriction does not apply to general public solicitations or job postings not targeted at specific UPMOS personnel.

Non-Disparagement

Developer agrees not to make, publish, or communicate to any person or entity any false, defamatory, or disparaging remarks, comments, or statements about UPMOS, its products, services, officers, directors, employees, or business practices. This obligation shall survive the expiration or termination of this Agreement. Nothing in this provision prevents Developer from making truthful statements when required by law or regulatory authority.

Synopsis — Key API Terms

• ✅ OAuth 2.0 Authentication: Industry-standard token-based auth with 1-hour access tokens
• ✅ 99.9% Uptime SLA: With service credits for downtime below threshold
• ✅ Rate Limits by Plan: 2-20 req/sec depending on seller plan tier (G30 through Loyalty)
• ✅ 24-Month API Version Support: Minimum support window after new version release
• ✅ 12-Month Deprecation Notice: Advance warning before any major API retirement
• ✅ Sandbox Environment: Full test environment at sandbox-api.upmos.com
• ✅ HTTPS + TLS 1.2+ Required: All communication encrypted in transit
• ✅ 90-Day Buyer Data Retention: Maximum retention for buyer personal data post-order
• ✅ OpenAPI 3.1 Specification: Machine-readable API contract with interactive documentation
• ✅ Cursor-Based Pagination: Consistent, scalable pagination across all list endpoints
• ✅ Official SDKs (rolling out): Python, Node.js, PHP, Java, C#, Ruby, and Go with auto-auth and retry
• ✅ 16+ Webhook Event Types: Real-time notifications with 5-retry delivery guarantee and DLQ
• ✅ SOC 2 Type II (in progress): Controls aligned with SOC 2 Type II; independent examination underway, with annual third-party penetration testing
• ✅ 10 Core API Resource Categories: Products, Orders, Inventory, Shipments, Pricing, Advertising, and more
• ✅ Idempotency Support: Idempotency-Key headers prevent duplicate operations on retries
• ✅ Developer Support Tiers: Basic (Free) includes email, docs, forums, sandbox, and all 7 SDKs; Premium adds phone support, 4hr SLA, dedicated account manager, Slack channel, and beta access
• ✅ API Is Optional: The Bloom Dashboard handles everything for most sellers. API access (an optional paid subscription — see current pricing) is for vendors who need automation, multi-channel sync, ERP integration, or third-party app development